Know Who Your Attackers Are
Corporations face threats from many avenues, and the introduction of Internet use into corporate operations increases those avenues. The types of threats remain fairly constant; for instance, organizations have always faced the threat of losing proprietary information. The Internet opens up the avenues for attack to the outside world as well as the inside world. Taking advantage of those avenues of attack are two categories of attackers: cyber attackers and corporate attackers.
Cyber attackers leverage the anonymity of the Internet to wage their attacks. Corporate attackers, on the other hand, take advantage of vulnerabilities within the organization to commit their acts. Each type of attacker fits a profile that explains their motivation and reasoning for performing such attacks.
The author performed a literature review of the various types of attacks and attackers. This review included examinations of their profiles and methods. The author included the results of this review in this paper.
Corporations embraced new methods of communication and conducting business when the Defense Advanced Research Projects Agency (DARPA) opened up Internet access to the public following the development of the Hypertext Transfer Protocol (HTTP) by Tim Berners-Lee. The article Cyber Attacks on the Rise (2005) reported that experts maintain that the tendency of companies to connect internal networks to the Internet for increased connectivity, performance, and efficiency has also granted outsiders increased access to those networks.
Not all outsiders who could connect to an organization by means of the Internet are of concern; most individuals will not connect to networks if they have no reason to do so. However, there are groups that use the Internet for nefarious purposes. These groups include hackers, cybercriminals, cyber terrorists, and in some cases governments.
In recent years, the term hacker has been given a negative connotation. True hackers are motivated to discover what makes things tick through experimentation, and being labeled a hacker was somewhat of an honor in the early days of hacking. Hackers are credited with much of the development of what people refer to as personal computers.
In the negative context of the term, there are three classifications of hackers: black-hat hackers, white-hat hackers, and gray-hat hackers. White-hats and gray-hats concern themselves with discovering vulnerabilities in operating systems and applications with the intent of improving security. White-hats work for the software publishers, and gray-hats are freelancers who hope to sell their discoveries to the publishers; gray-hats sometimes post their discoveries on the Internet when companies refuse to pay.
The black-hat hacker is the hacker who attempts to infiltrate corporate networks. Some black-hat hackers are highly gifted where technology is concerned. These hackers employ a meticulous methodology to plan attacks. Other black-hat hackers understand very little about the technology they employ; these hackers are referred to as script kiddies.
Black hat hackers are technically literate.
Kevin Poulsen, a notorious black-hat profiled by Raval and Fichadia (2007), was seduced by the dark side at an early age. The U.S. Department of Defense (DoD) employed him to test Pentagon computer security as an alternative to prosecution for early crimes. Kevin continued hacking during his employment with the DoD and was eventually “sought by authorities for jacking into databases detailing the federal investigation of Ferdinand Marcos and hacking FBI computers to reveal details of wiretaps on foreign consulates, suspected mobsters, and the American Civil Liberties Union” (p. 259). Kevin ran to avoid prosecution and continued his exploits while in hiding. His most successful exploits while on the run culminated in taking control of the communications systems of a Los Angeles radio station, which permitted Kevin to manipulate the incoming calls to the station so he could win three Porsches, a couple of Hawaii vacations, and $20,000.
Kevin’s success at eluding authorities led to his being profiled on the TV show Unsolved Mysteries. Raval and Fichadia (2007) stated that Kevin was able to hack into the network’s phone system and prevent viewers from making any reports. However, he was eventually apprehended when some of the feature’s viewers recognized him in a supermarket. Kevin faced stringent penalties at the time, including restrictions from computer use after his prosecution. “He now is a legitimate computer security consultant and an editorial director and columnist for SecurityFocus.com, a well known organization dedicated to security issue” (p. 259).
Script kiddies possess limited understanding.
Script kiddies typically do not understand the technology they use or the consequences of their actions. Many security consultants claim that script kiddies may be the hardest hackers to protect against because there is no method to their actions. They simply download tools from the Internet and then, in many cases, plug in a range of IP addresses to see what happens.
These hackers are typically younger individuals with plenty of time on their hands, middle school and high school students or dropouts with unrestricted Internet access. They do not necessarily harbor any malice toward their victims; they simply wish to cause trouble for whatever victims their scripts find, whether individuals, corporations, or government agencies.
Raval and Fichadia (2007) profiled the case of a Distributed Denial of Service (DDoS) attack that occurred in 2009 and severely affected the ability of Yahoo, Buy.com, eBay, Amazon.com, and about seven other organizations to conduct business on their e-commerce sites. The attack crippled those organizations’ networks, and Raval and Fichadia (2007) claimed the combined loss experienced by those organizations to be 1.7 billion dollars.
The combined effort of the Royal Canadian Mounted Police and the U.S. FBI eventually identified the perpetrator, whom they named “Mafiaboy” (p. 282). At 16 years of age, Mafiaboy was able to download all the tools he needed to launch those attacks from the Internet. He required little knowledge to download or use the tools, but the results of his exploits were devastating. “In September 2001, he was sentenced to eight months in a youth detention center and was fined a mere $160” (p. 282).
“Targeted attacks against financial networks, unauthorized access to information, and the theft of personal information is sometimes known as cybercrime” (Ciampa, 2009, p. 18).
Cybercrime is not a new type of crime but a new method of committing existing types of crime, such as fraud. Any crime in which an Internet-connected computer is used to commit the crime or to aid in its commission is a cybercrime. Ciampa (2009) characterized cybercriminals as “a loose-knit network of attackers, identity thieves, and financial fraudsters. These criminals are described as being more highly motivated, less risk-averse, better funded, and more tenacious than hackers” (p. 17).
Financial gain is the single motivating factor for cybercriminals, and many cybercrime attacks originate from Eastern European countries. Ciampa (2009) referenced an affidavit from the FBI that warned “one Eastern European cybercriminal holds the title of ‘Godfather’ for ‘an international ring of computer hackers and Internet fraudsters that has ... trafficked in millions of stolen credit card numbers and financial information’” (p. 18).
Cybercriminal attacks typically focus more on a particular target than hacker attacks do, and cybercriminals often take measures to hide their activities from detection. Cremonini and Nizovtsev (n.d.) stated that victims might detect data streams left by an attacker as an attack progresses. Victims may then correlate those observations with an attack as they observe more suspicious data streams.
Successfully detecting an attack increases the likelihood that the attacker will be prosecuted, and cybercriminals therefore go to great lengths to cover their tracks. Cybercriminals expect large payoffs from their attacks. As stated by Cremonini and Nizovtsev (n.d.), attackers place a cost factor on the effort required to exploit a specific system and on the likelihood that their actions will be discovered. When an attacker decides that the cost of attacking a specific system outweighs the expected payoff, the attacker may move on to a system that is less costly to infiltrate.
Cyber terrorists use the Internet to wage attacks based on ideology. Like other terrorists, their motivation is to create panic. Many cyber terrorist attacks simply result in the defacement of websites to spread messages. However, Ciampa (2009) stated that concern is growing among security professionals that cyber terrorists may shift their focus to national infrastructure components to elevate the amount of panic caused by their activities.
In 2009 the stock market experienced what Hayes (2010) referred to as a flash crash. The crash involved the frequency with which automated trading systems performed trades. A Congressional hearing investigated the matter, and one possible cause examined by Congress was cyber terrorism. Roger Thompson of AVG, as cited by Hayes (2010), stated that a more likely cause was “some criminal bank trying to find a way to ‘game’ the stock market system for their profit, … These guys, however, do not want to cut down the apple tree, they just want to shake it and pick-up whatever falls off” (p. 53).
In 2001, the government of Estonia experienced a DoS attack, and the Government of Georgia experienced one in 2008. Denning and Denning (2010) proposed that these attacks led to the accusation that Russia was involved in acts of cyber warfare. “China was blamed for infiltrating and stealing sensitive data from Google's network and other targets in 2009” (p. 29). Some security experts believe that cyber warfare attacks are currently being waged.
The United States government has established a branch of service dedicated to cyber warfare, and some experts believe that attacks are already under way. The origin of the worm that disabled centrifuges in Iran has not been disclosed. Cyber warfare attacks may cost fewer lives than attacks using traditional means. “However, people who would accept these ends might also worry about the same tools being used for other ends, such as a government agency spying on its citizens” (Denning & Denning, 2010, p. 3).
Cyber attacks originate from outside an organization, but corporations face internal threats as well. “Even though ‘hackers’ are out looming on corporate security perimeters, insiders will always be a large threat to an organization. They have access to critical resources, both physical and digital, in their workplace” (Garcia, 2009, p. 2). Individuals with inside connections to corporations, along with corporate employees, comprise the ranks of corporate attackers.
Extortionists and Spies
Inside connections to a corporation may lead an individual to various corporate attacks. The incidents that culminated at Enron and Arthur Andersen in 2001 and 2002 raised serious questions in the public’s eye concerning the credibility of the accounting profession and auditing firms (Earley & Kelly, 2004). Fraud committed by insiders at Enron was overlooked by the auditors at Arthur Andersen, and these corporate attacks led to the bankruptcy of one corporation and the loss of public confidence in another.
Ciampa (2009) explained that spies steal proprietary corporate information, which they often sell to competitors. Access to sensitive information is a defining characteristic of spies, and that access leads competitors to recruit and employ corporate spies. Downsizing at many organizations may also lead individuals to spy on their employers. Garcia (2009) cited a survey of professionals in the IT industry that demonstrated “a sharp rise in the percentage of respondents that would take proprietary data in 2009 compared to 2008” (p. 3).
Which group of attackers poses the greatest threat to organizations?
Ciampa (2009) claimed that employees pose the highest security threat to corporations. Some employees commit attacks without even knowing the risks or consequences of their actions. An employee may explore proprietary information simply because he can. An employee may be blackmailed into spying on a company. “On other occasions, disgruntled employees may be intent on retaliating against the company” (p. 17).
One type of threat, sabotage, can only manifest from within a corporation through an employee of that corporation. A report by the Carnegie Mellon Computer Emergency Response Team (CERT), as cited by Garcia (2009), demonstrated that 80 of 190 threat cases perpetrated by insiders between 1996 and 2007 involved sabotage. “Of those 80 cases, 75 of them were not linked to financial gains by the saboteur. More than half of the insiders were seen as disgruntled and most acted out due to a negative event in the workplace” (p. 3).
Introducing the Internet to the operations of corporations has increased the avenues of attack that those corporations face. Along with the risks posed by corporate attackers, corporations face attacks that originate from cyberspace. Cyber attackers pose the same types of threats as corporate attackers but through a different avenue.
Individuals and organizations that conduct cyber attacks may be classified as hackers, cybercriminals, cyber terrorists, and sometimes governments. Each of these groups fits a certain profile, which includes the motivational factors for conducting the exploits. Fame motivates hackers, money motivates cybercriminals, ideology motivates cyber terrorists, and political issues motivate governments.
Although the Internet provides new avenues for attack, internal avenues still exist. These internal threats are exploited by individuals or organizations with close ties to the corporation. Most corporate attacks are committed by employees, many of whom are disgruntled by activities at the workplace. However, key individuals within a corporation also pose threats of attack in the form of fraud and insider trading.
- Ciampa, M. (2009). Who are the attackers? In Security+ Guide to Network Security Fundamentals (3rd ed.). Boston, MA: Course Technology.
- Corporate CyberAttacks on the Rise. (2005). Information Management Journal, 39(4), 20. Retrieved from the EBSCOhost database.
- Cremonini, M., & Nizovtsev, D. (2006). Understanding and influencing attackers' decisions: Implications for security investment strategies.
- Denning, P. J., & Denning, D. E. (2010). The profession of IT: Discussing cyber attack. Communications of the ACM, 53(9), 29-31. doi:10.1145/1810891.1810904
- Earley, C. E., & Kelly, P. T. (2004). A note on ethics educational intervention in an undergraduate auditing course: Is there an "Enron Effect"? Issues in Accounting Education, 19(1), 53-71.
- Garcia, J. (2009). Mitigating insider sabotage. SANS Institute Reading Room, 1-29.
- Hayes, J. J. (2010). The terrors and the errors [cyber-terrorist attack]. Engineering and Technology (17509637), 5(14), 52-53. doi:10.1049/et.2010.1413
- Raval, V., & Fichadia, A. (2007). Chapter 11: Network security. In Risks, Controls, and Security: Concepts and Applications. Hoboken, NJ: Wiley.